Australian whistleblower legislation has been amended by the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Cth) (the Act). The purpose of the Act is to amend the Corporations Act 2001 (Cth) (Corporations Act) to broaden the whistleblower protection regime contained in Part 9.4AAA of the Corporations Act.

The changes in the whistleblower legislation will see comprehensive protection for whistleblowers who report misconduct about companies and company officers.

These changes came into effect from 1 July 2019 but will require companies that fall within the ambit of the Corporations Act to have a whistleblower policy in place from 1 January 2020.

Why is the legislation changing?

Several forces at play have brought about these changes:

  • A need for legislative change – the previous whistleblower protection regimes were fragmented and involved a number of different pieces of legislation.
  • The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry – highlighted the extent of company misconduct and stressed the need to promote a more ethical corporate culture and to encourage and protect whistleblowers to speak up.
  • Global trends – other countries around the world have already put in place whistleblower protection legislation (USA, UK and France among others) and Australia, as a member of the G20, committed to increase its whistleblower protections.
  • #metoo movement – whilst this movement focused on sexual harassment, it was a genesis for the rise of individuals speaking up on relevant issues, whether they be financial misconduct or other.

Who does the whistleblower legislation apply to?

The amendments to the Corporations Act apply to ‘regulated entities’ in the corporate, financial and credit sectors. This is broad and means it will apply to the majority of businesses in these sectors.

Regulated entities include companies, foreign corporations, trading or financial corporations formed within the limits of the Commonwealth, Authorised Deposit Institutions, insurers, life companies, superannuation entities and other prescribed entities.

What is changing?

The key reforms contained in the Act are:

  • broadening the whistleblower definition to include both current and former employees, officers, associates and contractors, as well as their spouses, dependents, and other relatives, and to allow for anonymous disclosures;
  • extending the protections to include whistleblower reports that allege misconduct or an improper state of affairs or circumstances about any matter covered by financial sector laws or relating to any Commonwealth offence that may be punishable by imprisonment of 12 months or more;
  • creating civil penalty provisions in addition to the existing criminal offences, for causing detriment to (or victimising) a whistleblower and for breaching a whistleblower’s confidentiality;
  • giving protections for whistleblowers, in certain circumstances, if they go public with concerns about dangers to the public or matters in the public interest;
  • providing whistleblowers with easier access to compensation and remedies if they suffer detriment;
  • removing the requirement for a whistleblower report to satisfy a ‘good faith’ test to access the protections (although a report solely about a personal workplace grievance is not covered by the protections); and
  • from 1 January 2020, requiring all public companies, large proprietary companies, and corporate trustees of registrable superannuation entities to have a whistleblower policy in place.

Some highlights of the new disclosure rules

Under the new reforms, more people can make a disclosure and anonymous disclosures are now permitted. If a company is dealing with an anonymous disclosure, it must be careful how it investigates this and must ensure the identity of the whistleblower is kept confidential.

Also, what is now deemed to be a disclosable matter has changed. Current whistleblowing protections are limited to circumstances where the discloser has ‘reasonable grounds’ to suspect that the company, an officer or an employee of the company has contravened the Corporations Act. However, the new protections apply to the disclosure of information which the discloser has ‘reasonable grounds’ to suspect ‘concerns misconduct, or an improper state of affairs or circumstances in relation to the company or a related body corporate’. This is a much lower threshold for what is a disclosable matter.

We note that the new laws open the whistleblower protections to a large range of disclosures but these protections do not apply to workplace grievances and the law is clear that these remain under the Fair Work Act 2009 (Cth).

The other key change to the disclosure rules is to remove the requirement of good faith when making a disclosure, making the reason for the disclosure irrelevant.

What you can do to be prepared for the new whistleblower legislation

Processes and policies need to be developed and enhanced in order for businesses to prepare for these new reforms. Education and training of key staff, especially those authorised to receive disclosures, is vital.

  1. Update your current whistleblower policy to comply with the new protections. If you don’t have a policy, put one in place.
  2. Educate senior managers and employees on the new laws so they know how to deal with a whistleblower complaint when they receive one.
  3. Update your governance framework to ensure that all protected disclosures are handled and investigated fully in keeping with the law reforms.
  4. Provide training to all employees to ensure they are aware of the company whistleblower policy and what constitutes unlawful conduct under the new reforms.
  5. Ensure the employee training covers all the conduct breach areas and in particular what detrimental conduct is and how to maintain anonymity.
  6. Have a think about whether your company wants to use an external provider to receive whistleblower complaints – the Corporations Act allows regulated entities to use external helplines to receive whistleblower complaints.

Who must have a whistleblower policy?

All public companies, large proprietary companies, and proprietary companies that are the trustees of registrable superannuation entities must have a whistleblower policy. This policy must be made available to all officers and employees of the company and make clear the following things:

  • the protections available to whistleblowers;
  • to whom qualified disclosures can be made and how they can be made;
  • the support available for whistleblowers; and
  • how the company will investigate disclosures and ensure fair treatment of employees.

Failing to comply with the requirement to have a whistleblower policy in place by the 1 January 2020 deadline may result in a fine.

Fines and penalties for breaches of whistleblower laws

The new laws don’t hold back when it comes to fines and penalties for both civil and criminal offences.

There are three key areas of conduct that will attract penalties if breached:

  1. Detrimental conduct – this is conduct that causes any detriment to a person and includes making threats to cause any detriment to that person. ‘Detriment’ is defined very broadly to include dismissal, victimising, alteration to position, discrimination, harassment, injury in employment or damage to reputation.
  2. Confidentiality – the identity of a whistleblower must be kept confidential.
  3. Failure to have a compliant whistleblower policy

Breach of conduct: Engaging in detrimental conduct

  • Criminal penalties, for an individual – $50,400 (240 penalty units) or imprisonment for 2 years or both.
  • Criminal penalties, for a body corporate – $504,000 (2400 penalty units).
  • Civil penalties, for an individual – $1,050,000 (5000 penalty points) or 3 times the benefit derived, or detriment avoided.
  • Civil penalties, for a body corporate – $10,500,000 (50,000 penalty points), 3 times the benefit derived, or detriment avoided or 10% of the body corporate’s annual turnover (up to $525m, 2.5m penalty units).

Breach of conduct: Breaching anonymity

  • Criminal penalties, for an individual – $12,600 (60 penalty units) or imprisonment for 6 months or both.
  • Criminal penalties, for a body corporate – $126,000 (600 penalty units).
  • Civil penalties, for an individual – $1,050,000 (5000 penalty points) or 3 times the benefit derived, or detriment avoided.
  • Civil penalties, for a body corporate – $10,500,000 (50,000 penalty points), 3 times the benefit derived, or detriment avoided or 10% of the body corporate’s annual turnover (up to $525m, 2.5m penalty units).

Breach of conduct: Failure to have compliant whistleblower policy

  • For an individual – $12,600 (60 penalty units).
  • For a body corporate – $126,000 (600 penalty units).

Which statutory bodies oversee the whistleblower legislation changes?

The Australian Securities and Investments Commission (ASIC) is responsible for enforcing the new corporate whistleblower protection regime. ASIC’s Office of the Whistleblower will oversee the implementation of the reforms from their commencement on 1 July 2019.

Whistleblowers can make protected disclosures directly to ASIC or the Australian Prudential Regulation Authority (APRA).

Companies can expect that disclosures made to ASIC or APRA, whether directly by the whistleblower or by the company having received a whistleblower disclosure, may well trigger investigatory steps by the regulator who receives that information.

What do the regulators expect?

Depending on the outcome of initial enquiries by regulators, further enforcement action may occur. ASIC has publicly adopted a ‘why not litigate’[1] stance in relation to enforcement, and both ASIC and APRA have taken steps towards further cooperation between them.

Companies should expect that if ASIC commences an investigation, ASIC will ask for their whistleblower policy when the whistleblower policy provisions take effect. ASIC has issued guidance to companies about its expectations around whistleblower policies that may be accessed here.

How can a D&O insurance policy respond?

In general terms, a D&O insurance policy may cover individuals (directors and officers) for investigation costs, defence costs and civil fines and penalties arising out of a breach of the whistleblower laws. It does not cover the entity/company for investigation costs, fines or penalties. Finally, a D&O policy will not cover any criminal fines and penalties relating to a breach of the whistleblower laws.

Each policy needs to be reviewed individually. Speak to your broker to find out how your organisation’s D&O policy will respond.

What other insurance options are available?

Statutory liability policies provide indemnity for fines and penalties.[2] For example, under Liberty International Underwriters’ Statutory Liability and Workplace Health and Safety insurance policy, a statutory liability claim includes any civil proceeding, criminal proceeding, alternative dispute resolution proceeding, or formal administrative or regulatory proceeding issued or brought by a regulatory authority against an insured, alleging or arising from a statutory breach.

This policy can cover an entity/company for investigation costs, defence costs and civil fines and penalties arising out of a breach of the whistleblower laws. This cover is subject to the limits, deductibles, terms and conditions set out in the schedule. In a claim type scenario, the company as well as the directors and key employees may be named in an ASIC or APRA investigation or civil proceeding. Having this policy can provide cover for employees and the entity itself.

There are two key exclusions under the policy (‘certain acts’ and ‘conduct’) to be aware of, and these relate to intentional breaches of the law and fraudulent and dishonest acts.

The ‘certain acts’ exclusion excludes cover for any claim, investigation, or loss arising out of, or in connection with, any actual or alleged breach of the responsibilities, obligations or duties imposed by sections 182, 183 (directors’ duties of care to the company) and 601 of the Corporations Act (‘certain acts’). Please note this exclusion does not apply in respect of an actual or alleged breach arising from negligent conduct that is not deliberate or reckless.

The ‘conduct’ exclusion excludes cover for any claim, investigation or loss arising out of, based upon or attributable to any dishonest, reckless, fraudulent or malicious act or omission by an insured and any wilful breach of duty, or wilful violation or breach of any law or regulation. It does provide cover for any insured who is not the perpetrator, did not know or has not condoned such act or omission. Where it is alleged that the insured has engaged in conduct excluded by the ‘conduct’ exclusion, the insurer will advance defence costs until a court finding. In that scenario the insurer will advance defence costs for a claim that involves a breach of law; but if the entity or individual is found to have committed the offence, they will not be entitled to indemnity and defence costs will have to be repaid.

Contact Aon to discuss how your insurance program will respond in light of these recent changes to the whistleblower legislation.


[2] Subject to full policy terms, conditions and exclusions.

